Twilio, which earlier this month became a sophisticated phishing attack, disclosed last week that the threat actors also managed to gain access to the accounts of 93 individual users of its Authy two-factor authentication (2FA) service.
The communication tools company said the unauthorized access made it possible for the adversary to register additional devices to those accounts. It has since identified and removed the illegitimately added devices from the impacted accounts.
Authy, acquired by Twilio in February 2015, allows safeguarding online accounts with a second security layer to prevent account takeover attacks. It's estimated to have nearly 75 million users.
Twilio further noted its investigation as of August 24, 2022, turned up 163 affected customers, up from 125 it reported on August 10, whose accounts it said were hacked for a limited period of time.
Besides Twilio, the sprawling campaign, dubbed 0ktapus by Group-IB, is believed to have struck 136 companies, including Klaviyo, MailChimp, and an unsuccessful attack against Cloudflare that was thwarted by the company's use of hardware security tokens.
Targeted companies span technology, telecommunications, and cryptocurrency sectors, with the campaign employing a phishing kit to capture usernames, passwords, and one-time passwords (OTPs) via rogue landing pages that mimicked the Okta authentication pages of the respective organizations.
The data was then secretly funneled to a Telegram account controlled by the cybercriminals in real-time, which enabled the threat actor to pivot and target other services in what's called a supply chain attack aimed at DigitalOcean, Signal, and Okta, effectively widening the scope and scale of the intrusions.
In all, the phishing expedition is believed to have netted the threat actor at least 9,931 user credentials and 5,441 multi-factor authentication codes.
Okta, for its part, confirmed the credential theft had a ripple effect, resulting in the unauthorized access of a small number of mobile phone numbers and associated SMS messages containing OTPs through Twilio's administrative console.
Stating that the OTPs have a five-minute validity period, Okta said the incident involved the attacker directly searching for 38 unique phone numbers on the console – nearly all of them belonging to one single entity – with the goal of expanding their access.
"The threat actor used credentials (usernames and passwords) previously stolen in phishing campaigns to trigger SMS-based MFA challenges, and used access to Twilio systems to search for one-time passwords sent in those challenges," Okta theorized.
Okta, which is tracking the hacking group under the moniker Scatter Swine, further revealed its analysis of the incident logs "uncovered an event in which the threat actor successfully tested this technique against a single account unrelated to the primary target."
Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.RESERVE YOUR SEAT
Like in the case of Cloudflare, the identity and access management (IAM) provider reiterated that it's aware of several cases where the attacker sent out a blast of SMS messages targeting employees and their family members.
"The threat actor likely harvests mobile phone numbers from commercially available data aggregation services that link phone numbers to employees at specific organizations," Okta pointed out.
Another supply chain victim of the campaign is food delivery service DoorDash, which said it detected "unusual and suspicious activity from a third-party vendor's computer network," prompting the company to disable the vendor's access to its system to contain the breach.
According to the company, the break-in permitted the attacker to access names, email addresses, delivery addresses, and phone numbers associated with a "small percentage of individuals." In select cases, basic order information and partial payment card information was also accessed.
DoorDash, which has directly notified affected users, noted that the unauthorized party also obtained delivery drivers' (aka Dashers) names and phone numbers or email addresses, but emphasized that passwords, bank account numbers, and Social Security numbers were not accessed.
The San Francisco-based firm did not divulge additional details on who the third-party vendor is, but it told TechCrunch that the breach is linked to the 0ktapus phishing campaign.